[Phpmyadmin-devel] sessions/cookies vs. javascript

Marc Delisle Marc.Delisle at cegepsherbrooke.qc.ca
Tue Sep 27 06:02:51 CEST 2005


Garvin Hicking a écrit :
> Hi!
> 
> 
>>securing session data/handling is part of the system not of the application
>>(like some days ago someone said window hijacking is part of
>>the browser not the app)
> 
> 
> We would make it too easy for us to say so, especially if we are able to bypass
> this. If we really just use PHP sessions and pay no attention to their security,
> we need to make phpMyAdmin still work without sessions. Most of the shared
> hosting providers do not ensure different session.save_path settings...
> 
> 
>>even with open_basedir disabled, to open a file from the tmp dir you need the
>>exact name, as normally listing dir contents is not allowed
> 
> 
> Why do you think that? I can open and list my /tmp directory on all 3 hosts I
> just checked:
> 
> <?php
> // List every entry in the shared temp directory, including session files.
> $d = opendir('/tmp');
> while (($file = readdir($d)) !== false) {
>     echo $file . "\n";
> }
> closedir($d);
> 
> 
>>and guessing the right session id is nearly impossible:
> 
> 
> That's true of course. :)
> 
> 
>>>Also we need to think about what bad can happen when someone hijacks your
>>>session id, or uses session fixation.
>>
>>authentication information does not require to be stored in the session!
>>authentication system can stay as it is!
> 

But... users who deactivate cookies in their browser currently cannot 
benefit from the login panel.
> 
> Yes, I think it's better to rely on the current system than to use a (much
> easier) PHP session auth.
> 
> Regards,
> Garvin
> 
> 
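As an added illustration of the defensive points raised in this thread (a private session.save_path instead of the shared /tmp, cookie-only id transport, and regenerating the id at login to blunt fixation), this is example code, not phpMyAdmin's own code or any participant's; the private directory path, the cookie name PHPSESSID (PHP's default session.name) and the onLoginSuccess() hook are assumptions:

```php
<?php
// Added example: harden PHP session handling along the lines discussed above.
// Assumption: the application may create a directory outside the web root.
$privateSessionDir = __DIR__ . '/../private/sessions'; // assumed path

// 1. Keep session files out of the shared /tmp, where other customers on the
//    same host could list the directory and read them.
if (!is_dir($privateSessionDir)) {
    mkdir($privateSessionDir, 0700, true);
}
session_save_path($privateSessionDir);

// 2. Drop any incoming id that does not look like one PHP generated, so a
//    hand-planted id never becomes a live session (assumes default session.name).
if (isset($_COOKIE['PHPSESSID'])
    && !preg_match('/^[A-Za-z0-9,-]{22,128}$/', $_COOKIE['PHPSESSID'])) {
    unset($_COOKIE['PHPSESSID']);
}

// 3. Cookie-only transport: no session id in URLs, HttpOnly, Secure over TLS.
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
session_set_cookie_params(0, '/', '', !empty($_SERVER['HTTPS']), true);

session_start();

// 4. On a successful login, issue a fresh id and delete the old session file,
//    so an id known before authentication is worthless afterwards.
function onLoginSuccess($username)
{
    session_regenerate_id(true);
    // Store only what is needed to recognise the user; never the password.
    $_SESSION['user'] = $username;
    $_SESSION['login_ip'] = $_SERVER['REMOTE_ADDR'];
}
```

Step 4 is what removes the value of a fixated id; steps 1 to 3 only reduce how easily an id can be read or planted in the first place.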
